Method for remotely controlling and/or regulating a system

ABSTRACT

The invention relates to a method for remotely controlling and/or regulating at least one system (1), in particular an industrial system, using a communications device (2) which is assigned to the system (1), and at least one receiver device (3), information relating to the system being transmitted from the communications device (2) to the at least one receiver device (3), the information containing a validation code which is generated by the communications device (2), a message being received by the communications device (2), the communications device (2) extracting a check code and instruction information from the message according to a first extraction rule, the communications device (2) validating the message by means of the validation code and check code, and the instruction information being implemented by the system (1) only when the validation is successful.

TECHNICAL FIELD

The invention relates to the field of controlling and/or regulating remotely located systems. It relates to a method for remotely controlling and/or regulating a system, in particular an industrial system, in accordance with the preamble of the independent patent claim.

PRIOR ART

Possible ways of remotely monitoring, controlling and/or regulating are an increasingly important factor in the design in all types of systems, in particular in industrial systems and supply systems, for example in the areas of electricity, water and heat. Such possible ways permit increases in efficiency and flexibility when operating and maintaining the systems, in particular with respect to customer service performances and servicing performances, but also when complex systems are operated normally, if a frequent intervention of operator personnel for fault-free operation of the systems is required. One aspect of the remote monitoring and control relates here to the transmission of information relating to the system, for example in the form of a warning or of an alarm, and subsequent return transmission of instruction information as a reaction of the operator personnel.

EP 617350 discloses methods for remotely controlling heating or air-conditioning systems and for the performance of self-diagnostics with remote transmission of diagnostic results. During the self-diagnostics, data of the heating or air-conditioning system relating to the diagnostics are sensed, processed and encoded by a communications device and transmitted after a data link has been set up as diagnostic information to an external receiver device, at which they are received, decoded and ultimately processed, displayed, printed out and/or stored. During the remote control, a data link is firstly set up from an external instruction device to the communications device and instruction information is subsequently encoded in the instruction device, transmitted to the communications device, received there and decoded and ultimately processed and/or executed in the communications device and/or a controller and/or regulator of the heating or air-conditioning system. Diagnostic information and/or instruction information can be transmitted here via a direct line, but it is also possible to use existing conventional information transmission systems, for example telecommunications systems of the Deutsche Bundespost such as telephone, fax, Cityruf or the like for the transmission.

A problem with systems which can be remotely controlled and/or regulated is the risk of intervention in the system by unauthorized persons. If the communications device has a link to a public network, for example a telecommunications system of the Deutsche Bundespost, a link can be set up to the communications device by unauthorized persons without relatively great difficulties. If a protocol for encoding/decoding the instruction information is known, unauthorized persons can very easily transmit instruction information to the communications device. If this information is correspondingly executed by the controller and/or regulator, failures or even damage to the system may occur, and also, depending on the system, the surroundings and the environment may, under certain circumstances, also be put at risk or damaged. EP 617350 therefore proposes to carry out user authentication in the communications device before instruction information is actually input. For this purpose, a password or a code number containing the authorization for access to the communications device and thus to the system must be input.

While the risk of access by unauthorized persons can largely be prevented by user authentication, there is nevertheless a certain residual risk. This is in particular the case if the password or the code number is, or becomes, known to unauthorized persons.

One particular risk is also constituted by what are referred to as hacker attacks. These are attacks by unauthorized persons who aim to guess the password and/or code number through repeated attempts. In particular, systems of this kind whose communications devices have links to computer networks are particularly at risk here as the hacker attacks can be automated using computer programs and/or scripts so that a very large number of attempts at guessing a password and/or code number can be carried out within a short time.

DESCRIPTION OF THE INVENTION

For this reason, the object of the invention is to specify a method for remotely controlling and regulating systems which effectively minimizes the risk of manipulation by unauthorized persons and in particular protects against hacker attacks.

The object of the invention is also to specify a reliable method for remotely controlling and/or regulating a system which does not require a user authentication to take place before actual transmission of instruction information, so that said method is simple and efficient.

These objects are achieved by means of a method as claimed in claim 1. A communication which comprises information relating to the system and a validation code is dispatched, preferably to a receiver device which is determined in advance, by a communications device assigned to the system. As soon as the communications device receives a message at a time after the communication has been dispatched, a check code is extracted from this message according to a predefined rule. The origin of the message is checked by means of the validation code and check code taking into account the predefined rule, i.e. it is checked whether the message originates from a receiver of the communication. It is thus possible to use the validation code and check code to verify whether the received message constitutes a response to the dispatched communication.

Only in cases in which it has been successfully checked that the message originates from a receiver of the communication is instruction information both extracted from the received message in addition to the check code according to the predefined rule and processed and/or executed by the system.

If, on the other hand, it was not possible to use the validation code and check code to verify that the received message constitutes a response to the dispatched communication, either the instruction information is not extracted at all from the message or the extracted instruction information is ignored.

This object and further objects, advantages and features of the invention become clear from the following detailed description of a preferred exemplary embodiment of the invention in conjunction with the drawings.

BRIEF EXPLANATION OF THE DRAWING

FIG. 1 is a schematic view of a block circuit diagram of a system which can be remotely controlled and/or regulated by means of the method according to the invention.

The reference numerals used in the drawing and their significance are summarized in the list of reference numerals.

WAYS OF IMPLEMENTING THE INVENTION

FIG. 1 is a schematic view of a block circuit diagram of a system 1 which can be remotely controlled and/or regulated in accordance with the inventive method by means of a communications device 2, which has a system interface 21 and a network interface 22, and a receiver device 3. The network interface 22 has in each case at least one means for transmitting and receiving communications and/or messages.

Data relating to the system is collected and, if appropriate, conditioned in the communications device 2, a connected data processing system and/or a subunit of the system 1. The data may relate directly or indirectly to the system 1. Said data may comprise, on the one hand, operating parameters such as, for example, temperatures, pressures, flow rates of substances, configuration parameters such as switch settings or valve settings and, on the other hand, also ambient parameters such as, for example, ambient temperatures or the like. Said data may be, as in the abovementioned examples, individual data items which can be expressed by a single numerical value, but may advantageously also comprise complex data records which are preprocessed by a subunit of the system. Finally, the data is combined to form an information item. Here, the information item may be composed of only a single data item, but it can also be composed of a multiplicity of data items or else be the result of an analysis of data which has been carried out in the communications device 2, the connected data processing system or the system 1 itself.

A communication which contains the information is transmitted to a receiver device 3 by the communications device 2 via the network interface 21 when certain conditions are fulfilled. A condition for the transmission of a communication is preferably an error in the system 1 which is diagnosed when the data is evaluated. However, it is also conceivable that a communication is transmitted independently of a state of the system 1, for example if a parameter which indirectly relates to the system 1, such as the ambient temperature, exceeds or drops below a certain limiting value. In the aforesaid situations, the transmission of the communication constitutes, as it were, an alarm. The communication can, however, also be advantageously transmitted at a fixed time, on a fixed day or on previously determined dates.

A validation code is added to the communication by the communications device 2. For this purpose, the information and validation code are combined in accordance with a first combination rule. This is advantageously carried out by appending information and validation code. If the information and validation code are composed of sequences of characters, predefined control or special characters are advantageously interposed as a separator during the appending process.

Preferably, the validation code is valid only once and has a limited period of validity. The validation code is generated in a suitable way, for example by means of a random number generator so that it cannot be predicted by unauthorized persons. The limited period of validity and the fact that the validation code is valid only once make the system 1 more difficult to manipulate by unauthorized persons in cases in which the validation code becomes known.

The method according to the invention is continued as soon as a message is received by the communications device 2 via the network interface 21. The communications device 2 then extracts a check code from the message according to a first extraction rule. The origin of the received message is then checked by means of the validation code and the check code. A check code which is identical to the validation code is advantageously used for this purpose. The checking of the origin is then carried out by comparing validation code and check code. To do this, when the communication is dispatched, a copy of the validation code must be stored so that it is available for the comparison when a message is received later. A limited period of validity of the validation code is advantageously made possible in this case by virtue of the fact that validity information is stored together with the validation code. However, a checking procedure can also advantageously be used without explicit knowledge of the validation code. Thus, inter alia, specific properties of the validation code can be used for checking, for example its checksum. The check code then only has to be checked for these properties, in the example the checksum.

In addition to the check code, instruction information is also extracted from the message in accordance with the first extraction rule. Only when there is successful checking by means of the validation code and check code is the instruction information passed on by the communications device 2 to the system 1 via the system interface 22 in order to be executed, if appropriate after previous processing. Here, a control device is preferably provided between the communications device 2 and system 1, the instruction information being transmitted to said control device and passed on from it to the system 1. If the checking was not successful, the instruction information is ignored.

The first extraction rule is preferably configured in such a way that the check code and instruction information are extracted by cutting out parts of the message.

As is apparent from the previous explanations, one application of the method according to the invention ensures that only a receiver of the communication, and thus of the validation code, is capable of issuing instructions for remotely controlling and/or regulating the system 1. In order to do this, the receiver must firstly extract the validation code from the communication in accordance with a second extraction rule which constitutes a reversal of the first combination rule. From the instructions which he intends to issue, he can generate a message together with the validation code given knowledge of the first extraction rule, from which the communications device 2, after having received said message, extracts a check code, which check code leads to successful checking of the message and thus to the extraction and implementation of the instruction information. To do this, he must use a second combination rule which ensures this.
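
The exchange described in the preceding paragraphs, as an added Python example that is not part of the patent text: the device stores each validation code together with its expiry, the receiver builds a reply from the communication, and the device accepts that reply exactly once. The separator `#`, the 600-second validity period, the 64-bit code length and all names are assumptions.

```python
import hmac
import secrets
import time

SEP = "#"          # assumed separator character for the combination rules
VALIDITY_S = 600   # assumed period of validity in seconds


class CommunicationsDevice:
    """Device side: dispatches communications and validates replies."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # stored validation code -> expiry time
        self.executed = []   # instruction information passed on to the system

    def dispatch(self, information):
        # Unpredictable 64-bit code from the OS random number generator.
        code = secrets.token_hex(8)
        # Validity information is stored together with the validation code.
        self._pending[code] = self._clock() + VALIDITY_S
        # First combination rule: information, separator, validation code.
        return f"{information}{SEP}{code}"

    def receive(self, message):
        # First extraction rule: cut check code and instruction information
        # out of the message at the first separator.
        check_code, sep, instruction = message.partition(SEP)
        if not sep or not instruction:
            return False
        now = self._clock()
        # Forget codes whose period of validity has run out.
        self._pending = {c: t for c, t in self._pending.items() if t > now}
        matched = None
        for code in self._pending:
            # Constant-time comparison of stored code and check code.
            if hmac.compare_digest(code.encode(), check_code.encode()):
                matched = code
        if matched is None:
            return False             # instruction information is ignored
        del self._pending[matched]   # valid only once: a replay finds nothing
        self.executed.append(instruction)
        return True


def build_reply(communication, instruction):
    """Receiver side: second extraction rule, then second combination rule."""
    # The code is hexadecimal and never contains SEP, so splitting at the
    # last separator is safe even if the information itself contains one.
    _information, _, code = communication.rpartition(SEP)
    return f"{code}{SEP}{instruction}"


if __name__ == "__main__":
    device = CommunicationsDevice()
    alarm = device.dispatch("ALARM boiler pressure 9.2 bar")   # constructed
    reply = build_reply(alarm, "CLOSE_VALVE 3")                # constructed
    print(device.receive(reply))   # first use of the code
    print(device.receive(reply))   # same message replayed
```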

In a further preferred embodiment of the method according to the invention, dispatcher information is extracted from the message in accordance with a third extraction rule. In the communications device 2, the dispatcher information is checked and the instruction information is passed on from the communications device 2 to the system 1 and/or processed only in the case of successful dispatcher identification, i.e. correspondence between the dispatcher information and stored dispatcher data of authorized users. The dispatcher information preferably contains a secret password or a secret code number. In this case, the operation is what is referred to as a strong user authentication, i.e. the dispatcher is authenticated as an authorized user by virtue of the fact that, on the one hand, he knows something, namely the password or code number, and, on the other hand, he possesses something, in the present case the receiver device 3 to which the communication was transmitted, or alternatively the communication which he has received with the receiver device 3. Here, the receiver of the communication must add, in accordance with a third combination rule, the dispatcher information to a message which he generates.

In one preferred embodiment of the method according to the invention, the validation code, check code and/or dispatcher information are transmitted in encrypted form. To do this, the validation code and/or dispatcher information itself is preferably encrypted before it is added to the communication or message in accordance with a first or third combination rule. However, the entire communication and/or message can also advantageously be encrypted. If the communications device 2 receives an encrypted message, it must firstly be decrypted. If the check code or dispatcher information is present in an encrypted form after extraction from the message, it is to be decrypted. If the message contains dispatcher information, the risk of manipulation by unauthorized persons is reduced further by encrypted transmission because the dispatcher information cannot readily be acquired from illegitimately monitored or intercepted messages. Even if the validation code is to be subject to a limited period of validity, encrypted transmission is advantageous. In this case, validity information can be added directly to the validation code, for example by appending. Manipulation of the validity information by the receiver is ruled out. After decryption of the message or check code in the communications device 2, the validity information is available again in plain text. It is thus not necessary to store the validity information.
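
An added Python sketch of the variant in which the validity information travels inside the code and is not stored by the device (not code from the patent). A keyed MAC from the standard library stands in for the encryption the text describes, since what the device needs on return is proof that the expiry was not altered; the key, the field sizes and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

BODY_LEN = 16   # assumed layout: 8-byte expiry followed by 8 random bytes
TAG_LEN = 16    # assumed truncated HMAC-SHA-256 tag length in bytes


def make_code(key, expires_at):
    """Build a validation code that carries its own validity information."""
    # Validity information (expiry time) prefixed to the random part.
    body = struct.pack(">Q", int(expires_at)) + secrets.token_bytes(8)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return (body + tag).hex()


def check_code(key, code_hex, now, redeemed):
    """Validate a returned check code without a stored copy of the code.

    `redeemed` maps codes that were already used to their expiry time. It is
    the only state kept: a self-contained code cannot enforce "valid only
    once" by itself, so used codes are remembered until they expire.
    """
    try:
        raw = bytes.fromhex(code_hex)
    except (ValueError, TypeError):
        return False
    if len(raw) != BODY_LEN + TAG_LEN:
        return False
    body, tag = raw[:BODY_LEN], raw[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False              # forged code or altered validity information
    (expires_at,) = struct.unpack(">Q", body[:8])
    if now >= expires_at:
        return False              # period of validity is over
    # Expired entries can no longer be replayed, so they are dropped.
    for old in [c for c, t in redeemed.items() if t <= now]:
        del redeemed[old]
    if raw in redeemed:
        return False              # code was already used once
    redeemed[raw] = expires_at
    return True
```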

In one preferred embodiment of the method according to the invention, the communication or the message is transmitted or received by means of the short message service (SMS) over a GSM or ISDN network.

In a further preferred embodiment of the method according to the invention, the message is received via a public computer network, preferably the Internet.

The means such as communications device 2, network interface 21, system interface 22, receiver device 3 and control device which are used for carrying out the method according to the invention in accordance with the description above are to be understood as functional elements and do not necessarily need to be embodied as stand-alone physical units. Thus, the method can advantageously also be used to remotely control and/or regulate a system 1 in which the communications device and/or the control device is integrated into the system 1. The communications device 2 can advantageously be integrated into an electronic computing system in which the control device is advantageously also implemented. The electronic computing system is advantageously also used as a data processing system when data relating to the system is acquired and analysed.

The method according to the invention can advantageously also be used in the remote control and/or regulation of computer-based systems such as, for example, data processing systems, financial transaction systems or trading systems.

The receiver of the communication will generally be a person. The communication can in this case advantageously also be present in an audible form and comprise, for example, a chronological sequence of information and the validation code. However, it is also conceivable for the receiver to be an electronic device which automatically generates a message with suitable instruction information in response to the communication and transmits it back to the communications device 2.

LIST OF REFERENCE NUMERALS

1 System
2 Communications device
21 Network interface
22 System interface
3 Receiver device

1. A method for remotely controlling and/or regulating at least one system, comprising: generating a validation code having a limited period of validity, the validation code being variably generated to be valid only once for a communication to be dispatched, adding validity information to the validation code, which validity information defines the limited period of validity of the validation code, combining information relating to the system and the validation code in accordance with a first combination rule, dispatching the communication by a communication device assigned to the system, the communication comprising the information relating to the system, the validation code, and the validity information, and receiving a message after the communication has been dispatched, processing the received message, the processing comprising; extracting a check code from the message according to a first extraction rule, checking whether the message originates from a receiver of the communication based on the validation code and the check code, verifying whether the message is received within the limited period of validity defined by the validity information, and if the checking and the verifying are successful, extracting instruction information according to the first extraction rule from the message and implementing the instruction information by the system.
2. The method as claimed in claim 1, wherein the adding of the validity information to the validation code comprises appending or prefixing the validity information to the validation code.
3. The method as claimed in claim 1, wherein the validation code is generated by a random number generator.
4. The method as claimed in claim 1, wherein the validity information is directly added to the validation code, in the dispatching, the validation code is transmitted in an encrypted form, and after a decryption of the message or check code in the communications device, making the validity information available in plain text, wherein the validity information is not stored in the communication device.
5. The method as claimed in claim 1, comprising encrypting the validation code before the combination in accordance with the first combination rule.
6. The method as claimed in claim 1, comprising transmitting the check code in encrypted form.
7. The method as claimed in claim 1, comprising: generating dispatcher information by the receiver of the communication, adding, by the receiver of the communication, the dispatcher information to the message which the receiver generates, extracting the dispatcher information from the received message in accordance with a third extraction rule, identifying the dispatcher based on the dispatcher information and stored dispatcher data, if the checking, verifying, and identifying are successful, implementing the instruction information by the system, after the check code and dispatcher information have been extracted from the message, and if at least one of the checking, verifying, and identifying is not successful, ignoring the instruction information.
8. The method as claimed in claim 7, wherein the dispatcher information contains a secret password or a secret identification number.
9. The method as claimed in claim 7, comprising transmitting the dispatcher information in an encrypted form.
10. The method as claimed in claim 7, comprising encrypting the dispatcher information before adding the dispatched information to the message in accordance with a third combination rule.
11. The method as claimed in claim 1, wherein the communication and/or message are encrypted.
12. The method as claimed in claim 1, wherein the communication and/or the message are dispatched and/or received by means of short message service.
13. The method as claimed in claim 1, wherein the message is received via the Internet.
14. The method as claimed in claim 1, comprising: storing, when the communication is dispatched, a copy of the validation code so that the validation code is available for the checking when the message is received later, and storing the validity information together with the validation code.
15. A method for remotely controlling and/or regulating at least one system, comprising: generating a validation code having a limited period of validity, the validation code being variably generated to be valid only once for a communication to be dispatched, adding validity information to the validation code, which validity information defines the limited period of validity of the validation code, combining information relating to the system and the validation code in accordance with a first combination rule, dispatching the communication by a communication device assigned to the system, the communication comprising the information relating to the system, the validation code, and the validity information, and receiving a message after the communication has been dispatched, processing the received message, the processing comprising; extracting a check code from the message according to a first extraction rule, checking whether the message originates from a receiver of the communication based on the validation code and the check code, verifying whether the message is received within the limited period of validity defined by the validity information, if the checking and the verifying are successful, extracting instruction information according to the first extraction rule from the message and implementing the instruction information by the system.
16. The method as claimed in claim 15, wherein the adding of the validity information to the validation code comprises appending or prefixing the validity information to the validation code.
17. The method as claimed in claim 15, wherein the validation code is generated by a random number generator.
18. The method as claimed in claim 15, comprising: generating dispatcher information by the receiver of the communication, adding, by the receiver of the communication, the dispatcher information to the message which the receiver generates, extracting the dispatcher information from the received message in accordance with a third extraction rule, identifying the dispatcher based on the dispatcher information and stored dispatcher data, if the checking, verifying, and identifying are successful, implementing the instruction information by the system, after the check code and dispatcher information have been extracted from the message, and if at least one of the checking, verifying, and identifying is not successful, ignoring the instruction information.
19. A method for remotely controlling and/or regulating at least one system, comprising: generating a validation code having a limited period of validity, the validation code being variably generated to be valid only once for a communication to be dispatched, adding validity information to the validation code, which validity information defines the limited period of validity of the validation code, combining information relating to the system and the validation code in accordance with a first combination rule, dispatching the communication by a communication device assigned to the system, the communication comprising the information relating to the system, the validation code, and the validity information, and receiving a message after the communication has been dispatched, processing the received message, the processing comprising; extracting a check code from the message according to a first extraction rule, checking whether the message originates from a receiver of the communication based on the validation code and the check code, verifying whether the message is received within the limited period of validity defined by the validity information, and if the checking and the verifying are successful, extracting instruction information according to the first extraction rule from the message and implementing the instruction information by the system, wherein in the dispatching, the validation code is transmitted in encrypted form, and after a decryption of the message or check code in the communications device, making the validity information available in plain text, wherein the validity information is not stored in the communication device.
20. The method as claimed in claim 19, wherein the adding of the validity information to the validation code comprises appending or prefixing the validity information to the validation code.
21. The method as claimed in claim 19, wherein the validation code is generated by a random number generator.
22. The method as claimed in claim 19, comprising: generating dispatcher information by the receiver of the communication, adding, by the receiver of the communication, the dispatcher information to the message which the receiver generates, extracting the dispatcher information from the received message in accordance with a third extraction rule, identifying the dispatcher based on the dispatcher information and stored dispatcher data, if the checking, verifying, and identifying are successful, implementing the instruction information by the system, after the check code and dispatcher information have been extracted from the message, and if at least one of the checking, verifying, and identifying is not successful, ignoring the instruction information.
23. The method as claimed in claim 1, wherein the at least one system comprises an industrial system.
24. The method as claimed in claim 15, wherein the at least one system comprises an industrial system.
25. The method as claimed in claim 19, wherein the at least one system comprises an industrial system.